Even when companies do allude to an attack in SEC filings, they typically resort to euphemisms rather than the very word that best describes what paralyzed their business and caused millions of dollars in losses. Just as wizards in the Harry Potter books speak of evil Lord Voldemort as “He Who Must Not Be Named,” so companies are loath to refer to dreaded ransomware.

“They specifically avoid saying it,” said Bill Siegel, chief executive of Coveware, a Connecticut-based firm that analyzes ransomware victims’ options and often pays the ransom on their behalf. “They generally don’t use the word ‘ransomware’ for obvious reasons. It’s an ugly term. It scares people.” By using more generic terms, “You can put it out there, and you’ve officially said something, but you’ve also said nothing that can get you in any sort of trouble any which way.”